Ransomware, Threat Intelligence

HellCat, Morpheus RaaS operations leverage similar payloads

SiliconAngle reports that nearly identical ransomware payloads that only differed in contact information and victim-specific details have been utilized by the HellCat and Morpheus ransomware-as-a-service operations, which have targeted high-profile organizations since their emergence in mid and late 2024, respectively.

Both HellCat and Morpheus use the Windows Cryptographic Application Programming Interface to encrypt data while excluding critical system files, and both leave ransom notes ordering victims to access their respective .onion portals using the provided credentials, according to a SentinelOne analysis. Despite similarities with the Underground Team ransomware gang that may suggest a shared builder application or codebase, SentinelOne researchers observed that the HellCat and Morpheus payloads are structurally and functionally different, indicating independent development. Such findings highlight the importance of implementing more robust threat detection and defense strategies informed by the shared resources employed by various ransomware groups, the researchers said.
